CISSP® Official Study Guide, Eighth Edition


Chapter 17 ■ Preventing and Responding to Incidents



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Monitoring and Investigations 
Audit trails give investigators the ability to reconstruct events long after they have occurred. They can record access abuses, privilege violations, attempted intrusions, and many different types of attacks. After detecting a security violation, security professionals can reconstruct the conditions and system state leading up to the event, during the event, and after the event through a close examination of the audit trail.

One important consideration is ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment. A common method is to set up an internal Network Time Protocol (NTP) server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.

NIST operates several time servers that support authentication. Once an NTP server is properly configured, the NIST servers will respond with encrypted and authenticated time messages. The authentication provides assurances that the response came from a NIST server.

Systems should have their time synchronized against a centralized or trusted public time server. This ensures that all audit logs record accurate and consistent times for recorded events.
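The passage above stresses that event reconstruction only works when every host's log entries can be placed on one consistent timeline. The following is an added example, not code from the study guide, showing how an investigator merges entries from two hosts into a UTC timeline and spots a clock that was not synchronized; the hosts, request ids and log line format are constructed for the illustration.

```python
import re
from datetime import datetime, timezone

# Hypothetical audit entry format: "<host> <ISO-8601 timestamp> <event> req=<id>"
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<event>\S+) req=(?P<req>\d+)$")

# Constructed sample entries: web01 logs in UTC+2, db01 in UTC.
SAMPLE_LOGS = [
    "web01 2023-04-08T10:15:02+02:00 client_request req=41",
    "db01 2023-04-08T08:15:00+00:00 query_received req=41",
    "web01 2023-04-08T10:16:10+02:00 client_request req=42",
    "db01 2023-04-08T08:16:10.300000+00:00 query_received req=42",
]

def parse_line(line):
    """Parse one entry and normalize its timestamp to UTC."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"])
    if ts.tzinfo is None:
        # An entry without a UTC offset cannot be placed on a shared timeline.
        raise ValueError(f"timestamp lacks UTC offset: {line!r}")
    return {"host": m["host"], "ts": ts.astimezone(timezone.utc),
            "event": m["event"], "req": int(m["req"])}

def build_timeline(lines):
    """Return all entries ordered by their normalized UTC time."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])

def detect_skew(timeline, cause="client_request", effect="query_received"):
    """Flag requests whose effect is logged before the event that caused it.

    The database cannot receive a query before the web tier sent it, so such a
    pair means at least one of the two hosts' clocks is wrong. Each finding is
    (req, cause_host, effect_host, seconds the effect precedes the cause).
    """
    causes = {e["req"]: e for e in timeline if e["event"] == cause}
    findings = []
    for e in timeline:
        if e["event"] != effect or e["req"] not in causes:
            continue
        c = causes[e["req"]]
        if e["ts"] < c["ts"]:
            findings.append((e["req"], c["host"], e["host"],
                             (c["ts"] - e["ts"]).total_seconds()))
    return findings

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    for e in tl:
        print(e["ts"].isoformat(), e["host"], e["event"], e["req"])
    print("clock skew suspects:", detect_skew(tl))
```

Request 41 is reported because db01's entry precedes web01's by two seconds once both are expressed in UTC, which is exactly the inconsistency an internal NTP hierarchy is meant to prevent.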
Monitoring and Problem Identification

Audit trails offer details about recorded events that are useful for administrators. They can record system failures, OS bugs, and software errors in addition to malicious attacks. Some log files can even capture the contents of memory when an application or system crashes. This information can help pinpoint the cause of the event and eliminate it as a possible attack. For example, if a system keeps crashing due to faulty memory, crash dump files can help diagnose the problem.

Using log files for this purpose is often labeled as problem identification. Once a problem is identified, performing problem resolution involves little more than following up on the disclosed information.
